Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29473

UBSAN: Signed integer overflow: X * Y cannot be represented in type 'int' in strings/dtoa.c

Details

    Description

      Similar to MDEV-28374 but no PROCEDURE ANALYSE() is required here.

      CREATE TABLE t (c DOUBLE) ENGINE=InnoDB;
      		 
      INSERT INTO t VALUES ('1e4294967297');

      Leads to:

      10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

      		 
      /test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

      10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

      		 
          #0 0x557791cc50de in my_strtod_int /test/10.11_dbg_san/strings/dtoa.c:1481
      		 
          #1 0x557791cc50de in my_strtod /test/10.11_dbg_san/strings/dtoa.c:469
      		 
          #2 0x557791bb71e2 in my_strntod_8bit /test/10.11_dbg_san/strings/ctype-simple.c:799
      		 
          #3 0x55778effb05a in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.11_dbg_san/include/m_ctype.h:899
      		 
          #4 0x55778effb05a in Field_real::get_double(char const*, unsigned long, charset_info_st const*, int*) /test/10.11_dbg_san/sql/field.cc:1838
      		 
          #5 0x55778effbb02 in Field_double::store(char const*, unsigned long, charset_info_st const*) /test/10.11_dbg_san/sql/field.cc:4868
      		 
          #6 0x55778f1c5fdd in Item::save_str_value_in_field(Field*, String*) /test/10.11_dbg_san/sql/item.cc:407
      		 
          #7 0x55778f1c641f in Item_string::save_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:6867
      		 
          #8 0x55778d4826df in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool) /test/10.11_dbg_san/sql/sql_base.cc:9196
      		 
          #9 0x55778d482be8 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/10.11_dbg_san/sql/sql_base.cc:9251
      		 
          #10 0x55778d6a3853 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.11_dbg_san/sql/sql_insert.cc:1089
      		 
          #11 0x55778d8fe912 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:4563
      		 
          #12 0x55778d861c88 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
      		 
          #13 0x55778d8ce85f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
      		 
          #14 0x55778d8e0a70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
      		 
          #15 0x55778e351b41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
      		 
          #16 0x55778e35432c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
      		 
          #17 0x1474580e9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
      		 
          #18 0x14745735e132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export UBSAN_OPTIONS=print_stacktrace=1

      Bug confirmed present in:
      MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

      There are a large number of issues seen across versions. All UniqueID's seen: 

      UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|Field_real::get_double|Field_double::store
      		 
      UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Field_real::get_double
      		 
      UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Field_real::get_double
      		 
      UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-25454 Make MariaDB server UBSAN safe

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28374 UBSAN: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int' in sql/sql_analyse.cc

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-28345 ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number

          • Major - Major loss of function.
          • Closed

          Activity

            People

              bar Alexander Barkov
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.